![](/static/253f0d9b/assets/icons/icon-96x96.png)
![](https://lemy.lol/api/v3/image_proxy?url=https%3A%2F%2Ffry.gs%2Fpictrs%2Fimage%2Fc6832070-8625-4688-b9e5-5d519541e092.png)
That’s the ecosystem. WordPress itself is pretty basic, these things attack plugins, and their often not-very-experienced creators and users. The thing with WordPress is that this kind of vulnerability comes with the problem space, not the particular solution. If there was a different product in the same space, it would not fare better by default.
Also, I’d bet that a ton of CVEs are filed for C++ libraries, yet nobody is harping on about how insecure C++ is.
That’s my point, I always have a reasonable suspicion of anything I get from the Internet, but I don’t trust any site just because some underpaid functionary or corporate employee in its respective country said it’s good.